From bda1029633609d6e69564aa3a4aada67e4f6fe75 Mon Sep 17 00:00:00 2001
From: Andrew John Hughes
Date: Thu, 13 Jan 2022 01:12:07 +0000
Subject: [PATCH] Fix FIPS issues in native code and with initialisation of java.security.Security

---
 java-17-openjdk.spec | 15 ++++++++--
 ...263-fips_ensure_security_initialised.patch | 28 +++++++++++++++++++
 rh2021263-fips_missing_native_returns.patch | 24 ++++++++++++++++
 3 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 rh2021263-fips_ensure_security_initialised.patch
 create mode 100644 rh2021263-fips_missing_native_returns.patch

diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 9b78b14..bf6aec3 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -298,7 +298,7 @@
 %global top_level_dir_name %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver 12
-%global rpmrelease 13
+%global rpmrelease 14
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1281,6 +1281,9 @@ Patch1010: rh1996182-login_to_nss_software_token.patch
 Patch1012: rh1996182-extend_security_policy.patch
 # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
 Patch1013: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
 
 #############################################
 #
@@ -1700,6 +1703,9 @@ popd # openjdk
 %patch1011
 %patch1012
 %patch1013
+%patch1014
+%patch1015
+
 %patch2000
 
 # Extract systemtap tapsets
@@ -2460,7 +2466,10 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
-* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling
+* Thu Jan 13 2022 Andrew Hughes - 1:17.0.1.0.12-14.rolling
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+
+* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-13.rolling
 - Storing and restoring alterntives during update manually
 - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
 -- The move of alternatives creation to posttrans to fix:
@@ -2480,7 +2489,7 @@ cjc.mainProgram(args)
 * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-10.rolling
 - replaced tabs by sets of spaces to make rpmlint happy
 
-* Mov Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9.rolling
+* Mon Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9.rolling
 - Handle Fedora in distro conditionals that currently only pertain to RHEL.
 
 * Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
new file mode 100644
index 0000000..8dc0122
--- /dev/null
+++ b/rh2021263-fips_ensure_security_initialised.patch
@@ -0,0 +1,28 @@
+commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
+Author: Andrew Hughes
+Date: Mon Jan 10 20:19:40 2022 +0000
+
+ RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index 5a2c9eb0c46..a1ee182d913 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -39,6 +39,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+ 
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -449,6 +450,9 @@ public class SharedSecrets {
+ }
+ 
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ ensureClassInitialized(Security.class);
++ }
+ return javaSecuritySystemConfiguratorAccess;
+ }
+ }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..5a056ce
--- /dev/null
+++ b/rh2021263-fips_missing_native_returns.patch
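Review bot: The added null check at `++ if (javaSecuritySystemConfiguratorAccess == null)` reads the static field once for the test and again on the unchanged `return`, whereas the sibling getters in SharedSecrets (not visible in this hunk) presumably snapshot the field into a local and re-read it only after forcing initialization; matching that form keeps this accessor consistent with its neighbours and makes the intent of the `ensureClassInitialized(Security.class)` call visible at the call site. The dependency on `Security.class` is currently explained only in the commit message, so a why-comment belongs on that line, e.g. `// Security's static initializer registers this accessor; force it before reading`. One caveat to confirm: if anything on Security's own initialization path reaches this getter, `ensureClassInitialized` returns immediately for the initializing thread and the result is still null, so the caller's NullPointerException would move rather than disappear. The enclosing class SharedSecrets begins before and ends with this hunk's final brace.
```java
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
    // Security's static initializer registers this accessor; force that
    // initialization, then re-read the field once instead of on return.
    JavaSecuritySystemConfiguratorAccess access = javaSecuritySystemConfiguratorAccess;
    if (access == null) {
        ensureClassInitialized(Security.class);
        access = javaSecuritySystemConfiguratorAccess;
    }
    return access;
}
```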
@@ -0,0 +1,24 @@
+commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
+Author: Fridrich Strba
+Date: Mon Jan 10 19:32:01 2022 +0000
+
+ RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 38919d6bb0f..caf678a7dd6 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
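Review bot: The two added `return JNI_FALSE;` lines are the right fix, but nothing at either site records why the early return is mandatory, and the rule is easy to miss at the next throw site someone adds; a comment on the first one, `/* IOException is pending: no further JNI calls may be made, return immediately */`, documents what the fix enforces. The returned value is irrelevant to the Java caller because the pending exception propagates, so JNI_FALSE is a placeholder and could be noted as such. Any other `throwIOException` call in systemconf.c outside this hunk would need the same treatment. The enclosing function `Java_java_security_SystemConfigurator_getSystemFIPSEnabled` begins before and continues past the hunk.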